Wireless LANs are a breeding ground for new attacks because the technology is young and organic growth creates the potential for a huge payoff for hackers.
Pete Lindstrom, Spire Security
3 WHITE PAPER: Wireless LAN Security: What Hackers Know That You Don't
Through year-end 2004, the employees' ability to install unmanaged access points will result in more than 50% of enterprises exposing sensitive information through wireless networks.
Gartner
Intruders can convert laptops into soft access points (APs) either by using a variety of software programs, such as HostAP, Hotspotter, or AirSnarf, or by simply using a USB wireless adapter. Using a soft AP, a hacker can cause a legitimate user to connect to the hacker's own laptop, compromising that user's machine.
Unmanaged wireless LANs can jeopardize entire enterprise networks, data, and operations.
Forrester Research, Inc.
Tool (Website): Description

NetStumbler (http://www.netstumbler.com): Freeware wireless access point identifier that listens for SSIDs and sends beacons as probes that search for access points.
Kismet (http://www.kismetwireless.net): Freeware wireless sniffer and monitor that passively monitors wireless traffic and sorts data to identify SSIDs, MAC addresses, channels, and connection speeds.
THC-RUT (http://www.thehackerschoice.com): Freeware wireless LAN discovery tool that uses brute force to identify low-traffic access points. ("Your first knife on a foreign network.")
Ethereal (http://www.ethereal.com): Freeware wireless LAN analyzer that interactively browses captured data, viewing summary and detail information for all observed wireless traffic.
AirSnort (http://airsnort.shmoo.com): Freeware encryption breaker that passively monitors transmissions, computing the encryption key when enough packets have been gathered.
HostAP (http://hostap.epitest.fi): Toolkit that converts a wireless LAN user station to function as an access point. (Available for wireless LAN cards based on Intersil's Prism2/2.5/3 chipset.)
WEPWedgie (http://sourceforge.net/projects/wepwedgie/): Toolkit for determining 802.11 WEP keystreams and injecting traffic with known keystreams. The toolkit also includes logic for firewall rule mapping, ping-scanning, and port-scanning via the injection channel.
WEPCrack (http://sourceforge.net/projects/wepcrack/): Freeware encryption breaker that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling.
AirSnarf (http://airsnarf.shmoo.com/): Soft AP setup utility designed to steal usernames and passwords from public wireless hotspots by confusing users with DNS and HTTP redirects from a competing AP.
SMAC (http://www.klcconsulting.net/smac): Windows MAC address modifying utility that allows users to change the MAC address of Network Interface Cards (NICs) on Windows 2000, XP, and 2003 Server systems, regardless of whether or not the manufacturer allows this option.
Airjack (http://sourceforge.net/projects/airjack/): Denial-of-Service toolkit that sends spoofed authentication frames to an AP with inappropriate authentication algorithm and status codes; the AP then drops connections with stations. Includes WLAN_JACK, Monkey_JACK, and hunter_killer.
IRPAS (http://www.phenoelit.de/irpas/): Internet Routing Protocol Attack Suite designed to attack common routing protocols including CDP, DHCP, IGRP, and HSRP.

Wireless LANs are too easy to install and manipulate, and users and criminals will continue to take advantage of opportunities to disrupt or damage enterprise networks.
Gartner
Tool (Website): Description

Ettercap (http://ettercap.sourceforge.net): Suite for Man-in-the-Middle attacks. It features sniffing of live connections and content filtering on the fly. Additionally, it supports active and passive dissection of many protocols and includes many features for network and host analysis.
Cain&Abel (http://www.oxid.it): Password recovery tool that allows easy recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using dictionary, brute-force, and cryptanalysis attacks. Decodes scrambled passwords and analyzes routing protocols.
Hotspotter (www.remote-exploit.org/codes.html): Passively monitors the network for probe request frames to identify the preferred networks of clients. Acts as an access point to allow the client to authenticate and associate.
WEP Attack (http://sourceforge.net/projects/wepattack/): Brute-force WEP cracker that uses dictionary attacks against WEP keys. Is usually very effective against residential gateways.
ASLEAP (http://asleap.sourceforge.net/): Toolkit that can recover weak LEAP passwords, read captured files, or sniff the air. Can also actively de-authenticate users on LEAP networks, forcing them to re-authenticate.
THC-LeapCracker (http://www.thc.org): Toolkit that can break the Cisco LEAP authentication protocol and can also spoof challenge packets from access points, allowing the hacker to perform dictionary attacks against all users.
DSNIFF (http://naughty.monkey.org/~dugsong/dsniff): Collection of tools for network auditing and penetration testing. Can passively spy and perform Man-in-the-Middle attacks.
IKEcrack (http://ikecrack.sourceforge.net/): Authentication cracking tool that can use brute-force or a dictionary attack against the key/password used with Pre-Shared-Key IKE authentication.
Nessus (http://www.nessus.org): Remote security scanner.
Typically, in a manual WEP setup, most deployments use a single key out of four, making it much easier to completely compromise the network. Though vulnerable, WEP is still in use today. The next generation of encryption uses Temporal Key Integrity Protocol (TKIP, pronounced "tee-kip") to provide per-packet key mixing, an integrity check, and a re-keying mechanism. The keys are changed often enough to prevent compromise, but since the data is sent over the air, it can still be captured; if it is not encrypted, the captured data can then be decoded.
Antennas
To connect with wireless LANs over a distance, hackers either use long-range, commercially available antennas or build their own from Pringles cans or any similar metal cylinder. These antennas enable hackers to receive 802.11 signals from several thousand feet away. They can access the network while remaining completely out of sight.
As wireless networks become ubiquitous extensions of wired networks, problems with rogue access points will wane, though accidental network associations and attacks against mobile laptops will increase. This makes it very important to understand the risks of wireless LAN laptops and other devices that are present in every organization.
Gartner
Once a hacker is associated with a LAN, the hacker is in that LAN and difficult to detect.
Gartner
Hotspotter, or a commercially available tool. (Companies such as PCTel provide commercial software that converts 802.11 devices into access points.) As the victim's user station broadcasts a request to associate with an access point, the hacker's soft access point responds to this request and establishes a connection between the two. Next, the soft access point provides an IP address to the victim's user station. Once this is done, the hacker can scan the victim's station with tools designed to find Windows vulnerabilities. The hacker can then steal information, install Trojan horses or other spyware, and, if the station is connected to the wired network, use it as a launch pad to gain access to other servers.
Wireless LANs are subject to diversion: stations do not always know which access point or network they are connecting to. Stations can be tricked or forced to connect to a malicious access point, since there is often no authentication of the access point. This is an Open Systems Interconnection (OSI) Layer 2 (data link) vulnerability. Layer 3 (network) authentication offers no protection against it, nor does the use of virtual private networks (VPNs). Wireless LANs with 802.1x-based authentication (at Layer 2) do help protect against malicious associations, but are still vulnerable. A malicious association attack does not try to break the VPN or other security measures; instead, it takes over the client at Layer 2. To prevent user stations from connecting to unauthorized access points and networks, enterprises must constantly monitor the airwaves of their wireless LANs to be aware of any potential hazards.
Some enterprises secure their wireless LAN by using an authorized list of station MAC addresses for authentication. While this method provides some security for smaller deployments, MAC addresses were never intended for this use. Even if you are using encryption or a VPN, MAC addresses are always visible in the air. With software tools such as Kismet or Ethereal, a hacker can easily capture the MAC address of a valid user. To perform identity theft, a hacker can change his MAC address to the victim's MAC address using a spoofing utility such as SMAC (Spoof MAC), or manually change the Windows registry entry. Once this has been done, the hacker can connect to the wireless LAN, bypassing any MAC address filtering. There is a misconception that identity theft is only feasible if the MAC address is used for authentication, and that 802.1x-based authentication schemes such as LEAP are totally safe. Cracking LEAP to steal an identity has become easy with tools like ASLEAP and THC-LeapCracker. Other authentication schemes, such as EAP-TLS and PEAP, may require more sophisticated attacks that exploit other known vulnerabilities in wired-side authentication schemes, but such attacks are feasible. RF monitoring allows users to ensure that proper authentication is being enforced. In addition, excessive authentication attempts may indicate a malicious attempt by a hacker.
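The two monitoring signals the paragraph above points at (excessive authentication attempts, and a MAC address that the filter trusts turning up where a single station cannot be) can both be pulled out of ordinary controller or RADIUS logs. The following Python is an added example written for this page, not code from the paper or from Motorola's Wireless IPS. The log format, the MAC addresses, the AP names and the thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of controller/RADIUS-style authentication and association
# events. The format and every value are made up for this example.
SAMPLE_LOG = """\
2008-05-01T09:00:00 auth-fail mac=00:11:22:33:44:55 ap=ap-lobby
2008-05-01T09:00:03 auth-fail mac=00:11:22:33:44:55 ap=ap-lobby
2008-05-01T09:00:07 auth-fail mac=00:11:22:33:44:55 ap=ap-lobby
2008-05-01T09:00:12 auth-fail mac=00:11:22:33:44:55 ap=ap-lobby
2008-05-01T09:00:15 auth-fail mac=00:11:22:33:44:55 ap=ap-lobby
2008-05-01T09:00:20 auth-fail mac=00:11:22:33:44:55 ap=ap-lobby
2008-05-01T09:00:30 auth-fail mac=00:aa:bb:cc:dd:ee ap=ap-floor2
2008-05-01T09:00:40 auth-ok mac=00:aa:bb:cc:dd:ee ap=ap-floor2
2008-05-01T09:00:41 assoc mac=00:aa:bb:cc:dd:ee ap=ap-floor2
2008-05-01T09:00:44 assoc mac=00:aa:bb:cc:dd:ee ap=ap-parking
2008-05-01T09:05:00 assoc mac=00:aa:bb:cc:dd:ee ap=ap-floor3
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event, mac, ap)."""
    ts_text, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts_text), event, fields["mac"], fields["ap"]


def iter_events(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def find_excessive_auth(log_text, threshold=5, window=timedelta(seconds=60)):
    """Stations producing `threshold` or more authentication attempts inside `window`.

    Returns {mac: timestamp at which the threshold was first crossed}.
    """
    recent = defaultdict(deque)   # mac -> timestamps of attempts still inside the window
    flagged = {}
    for ts, event, mac, _ap in iter_events(log_text):
        if event not in ("auth-fail", "auth-request"):
            continue
        q = recent[mac]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that have aged out of the window
            q.popleft()
        if len(q) >= threshold and mac not in flagged:
            flagged[mac] = ts
    return flagged


def find_duplicate_mac(log_text, window=timedelta(seconds=10)):
    """One MAC associating to two different APs within `window`.

    A real station is associated to one AP at a time, so this is a heuristic
    for a cloned (spoofed) MAC address. Fast roaming between adjacent APs can
    trigger it as well, so `window` should be tuned to the site's roaming
    behaviour. Returns a list of (mac, previous_ap, new_ap) tuples.
    """
    last_assoc = {}   # mac -> (timestamp, ap) of the most recent association
    hits = []
    for ts, event, mac, ap in iter_events(log_text):
        if event != "assoc":
            continue
        prev = last_assoc.get(mac)
        if prev is not None and prev[1] != ap and ts - prev[0] <= window:
            hits.append((mac, prev[1], ap))
        last_assoc[mac] = (ts, ap)
    return hits


if __name__ == "__main__":
    print("excessive authentication attempts:", find_excessive_auth(SAMPLE_LOG))
    print("MAC seen on two APs at once:", find_duplicate_mac(SAMPLE_LOG))
```

On the constructed log, the first station is flagged at 09:00:15 (its fifth attempt inside a minute), and the second station's move from ap-floor2 to ap-parking three seconds after associating is reported as a possible duplicate MAC, while its later move to ap-floor3 is not. Both checks only consume events the infrastructure already records, which is what makes them cheap to run continuously.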
Man-in-the-Middle Attacks
One of the more sophisticated attacks, the Man-in-the-Middle attack, breaks VPN connections between authorized stations and access points by inserting a malicious station between the victim's station and the access point. The hacker becomes the man in the middle. These attacks are very similar to wired-side Man-in-the-Middle attacks, and the tools used to carry them out on the wired side can easily be used on the wireless network. Getting into the middle of a communication session is difficult on the wired side; it is much easier with wireless networks. Using SoftAP software, a hacker can easily convert a wireless device into a soft access point and position that access point in the middle of the communication session.
The more sophisticated Man-in-the-Middle attack preys upon challenge and handshake protocols to perform a de-authentication attack. The de-authentication attack knocks a user off an access point, causing the user's station to search for a new access point with which to connect. With the hacker's SoftAP access point running, the user reconnects to the hacker's laptop, PDA, or other device. Now the hacker, using a different wireless interface, connects to the real wireless LAN, passing all authentication traffic through to the real wireless network. The victim is oblivious to this and passes all data through the hacker. This scenario is possible because VPNs establish their connection at Layer 3 in the OSI model, while wireless exists below the VPN, at Layer 1 and Layer 2. Once connected, the hacker can use tools like DSNIFF, Ettercap, IKEcrack, or other Man-in-the-Middle tools to downgrade or roll back VPN security until traffic is either in clear text or uses easily broken weak encryption. This is a common problem in most VPN protocols, such as IPSEC, PPTP, SSH, SSL, and L2TP. Additionally, freeware tools, including Wireless LANjack and AirJack, enable hackers to launch a Man-in-the-Middle attack by automating the multiple steps required to perform it. Only a highly capable Intrusion Detection System (IDS) and 24-hour monitoring can detect these types of attacks on a wireless LAN. An effective security solution keeps a constant watch on the network while simultaneously analyzing the network activity. Since this type of attack is not based on a single signature, a wireless IDS must be able to correlate and analyze data to show that this type of attack is occurring.
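The last sentence is the crux: no single frame identifies this attack, so a wireless IDS has to correlate a burst of de-authentication frames with what the affected station does next. The Python below is an added example for this page (not the paper's or Motorola's code) showing that correlation over a constructed stream of 802.11 management-frame observations. It also covers the malicious-association case from the earlier section, since an association to a BSSID that is not authorized for the SSID it advertises is the common element of both. The inventory, MAC addresses, timings and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed inventory: which BSSIDs are authorized to serve each corporate SSID.
AP1 = "00:0c:41:aa:bb:01"
AP2 = "00:0c:41:aa:bb:02"
ROGUE = "00:0d:0b:de:ad:01"   # a soft AP that is not in the inventory
STA = "00:16:6f:12:34:56"     # the victim station
AUTHORIZED = {"CorpNet": {AP1, AP2}}

# Constructed stream of management-frame observations from an RF monitor:
# (time in milliseconds, subtype, bssid, station, ssid). It shows a station
# associated to AP1, a burst of deauthentication frames that claim to come
# from AP1, and the station re-associating to an unknown BSSID advertising
# the same SSID.
FRAMES = (
    [(0, "assoc", AP1, STA, "CorpNet")]
    + [(10_000 + 100 * i, "deauth", AP1, STA, None) for i in range(12)]
    + [(12_000, "assoc", ROGUE, STA, "CorpNet")]
)


def detect_deauth_flood(frames, threshold=10, window_ms=5_000):
    """Flag a BSSID that emits `threshold` or more deauth frames within `window_ms`.

    Whether the frames really came from the AP or were spoofed in its name, a
    legitimate AP has no reason to deauthenticate stations at this rate.
    Returns [(bssid, time_ms of the frame that crossed the threshold)].
    """
    recent = defaultdict(deque)   # bssid -> deauth timestamps still inside the window
    flagged = set()
    alerts = []
    for t, subtype, bssid, _sta, _ssid in frames:
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append(t)
        while t - q[0] > window_ms:
            q.popleft()
        if len(q) >= threshold and bssid not in flagged:
            flagged.add(bssid)
            alerts.append((bssid, t))
    return alerts


def detect_rogue_association(frames, authorized, window_ms=30_000):
    """Flag a station associating to a BSSID not authorized for the SSID it serves.

    If the station was deauthenticated from an authorized BSSID within
    `window_ms` beforehand, the alert records that: a deauth followed by a
    re-association to an unknown AP is the pattern of a forced hand-off to a
    soft AP. Without the preceding deauth it is still a malicious/accidental
    association worth investigating.
    """
    last_deauth = {}   # station -> (time_ms, bssid that deauthenticated it)
    alerts = []
    for t, subtype, bssid, sta, ssid in frames:
        if subtype == "deauth":
            last_deauth[sta] = (t, bssid)
        elif subtype == "assoc":
            allowed = authorized.get(ssid, set())
            if bssid in allowed:
                continue  # known-good AP for this SSID
            prev = last_deauth.get(sta)
            forced = (prev is not None
                      and t - prev[0] <= window_ms
                      and prev[1] in allowed)
            alerts.append({
                "station": sta, "ssid": ssid, "to_bssid": bssid,
                "from_bssid": prev[1] if forced else None,
                "preceded_by_deauth": forced,
            })
    return alerts


if __name__ == "__main__":
    for bssid, t in detect_deauth_flood(FRAMES):
        print(f"deauth flood attributed to {bssid} at t={t} ms")
    for alert in detect_rogue_association(FRAMES, AUTHORIZED):
        print("rogue association:", alert)
```

On the constructed frames the flood is reported on the tenth deauth frame (t=10900 ms), and the station's association to the unknown BSSID 900 ms after the last deauth is reported with `preceded_by_deauth` set, which is the correlated evidence the paragraph says a signature-per-frame approach cannot produce. In a real deployment the inventory of authorized BSSIDs is the piece that has to be kept accurate; the detectors are only as good as it is.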
directed against a specific user station to prevent that station from communicating with the network, against a specific access point to prevent stations from connecting with it, or against all network devices. In this last case, the attack shuts down all wireless LAN activity. A hacker can abuse the Extensible Authentication Protocol (EAP) to launch DoS attacks against the authentication server, flooding it with requests to be processed. This prevents valid users from authenticating to the wireless LAN and causes a DoS across the entire enterprise. Additionally, this can result in an outage of the wired network. The Unofficial 802.11 Security Web Page at www.drizzle.com lists forms of DoS attacks launched by manipulating EAP to target wireless stations and access points with log-off commands, start commands, premature successful-connection messages, failure messages, and other modifications of EAP.
Rogue sniffers initiate the DoS attack by echoing manipulated Spanning Tree sessions back to the wireless LAN access point. The access point echoes the packets to other internal hosts, causing a domino effect. Spanning Tree attacks usually render intelligent hubs, bridges, routers, and switches inoperative, requiring the devices to be rebooted or reconfigured to make them functional again. Routing attacks are another popular vector for enterprise DoS attacks. A hacker can use tools such as IRPAS or Routing Attack Tool to inject bogus routing updates into the network, changing the default gateways or destroying routing tables. Any rogue access point on the network that is not filtered by a gateway opens the network to this damaging attack. Motorola has discovered that nearly one out of five corporate networks surveyed is vulnerable to this form of attack.
4) Exploit discovered vulnerabilities in the wireless LAN. These methods are the same as those a hacker would use to exploit a wired network. These attacks are completely passive in most cases, and so impossible to detect, but the longer the hacker is allowed to sniff, the more data is compromised. Use Ethereal or another protocol analyzer to sniff the airwaves, grab all wireless traffic, and obtain a valid MAC address and IP address. Capture wired broadcast traffic (IPX, NetBIOS, ARP, OSPF, Windows broadcasts, and other types of traffic) to map out the network. Again, use Ethereal to look for clear-text protocols, such as Telnet, POP, or HTTP, or for authenticated traffic, to capture usernames and passwords.
5) Use tools like SMAC to spoof a MAC address, to bypass any MAC address filters and eliminate a commonly known MAC address tied to the user.
6) Use Windows Wireless to add the network to the preferred connection list, or a client utility to connect to the target wireless LAN.
7) Launch a DOS prompt and run IPCONFIG to see if there is an assigned IP address.
8) Roam the network after obtaining an IP address.
9) Use a vulnerability scanner, such as Nessus, to scan for vulnerable user stations, access points, or other devices attached to the wireless network.
From the above, it is easy to see that it does not take much expertise to find open access points or user laptops that function as backdoors into a corporate network. For this reason, it is important to monitor for any insecure access points or LANs and lock them down.
Organizations should deploy strong encryption and authentication standards (e.g., WEP, PEAP, WPA, LEAP) and install VPNs to secure communication across the wireless networks. Like a video camera that monitors all activity in a secure building 24 hours a day, a critical layer of wireless LAN security requires continuous monitoring of the network to identify rogue WLANs, detect intruders and impending threats, terminate and locate unauthorized connections, and enforce WLAN security policies. Motorola's Wireless IPS provides the most advanced solution for control of the airwaves, security, policy, and operational support for wireless networks. As a key layer of security, Motorola's Wireless IPS complements wireless VPNs, encryption, and authentication. Using patent-pending technology to correlate and analyze the monitored data, Motorola's Wireless IPS provides the industry's most accurate intrusion prevention for wireless networks.
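The "monitor for any insecure access points or LANs and lock them down" recommendation at the end of the walkthrough, and the rogue-WLAN identification and policy enforcement described just above, both reduce to one recurring audit: compare what the RF monitor sees against the AP inventory and the encryption policy. The following Python is an added example written for this page, not the paper's or any product's code. The inventory, the scan records, the encryption ranking and the policy minimum are assumptions constructed for the example; in particular the policy here treats WEP as below the minimum, in line with the paper's earlier section on WEP weaknesses.

```python
# Constructed inventory for this example: the SSIDs the enterprise operates and
# the BSSIDs of the access points authorized to serve them.
CORPORATE_SSIDS = {"CorpNet"}
AUTHORIZED_BSSIDS = {"00:0c:41:aa:bb:01", "00:0c:41:aa:bb:02"}

# Ranking used to express a minimum-encryption policy (an assumption of this
# example; extend it if the monitor reports finer-grained cipher information).
ENCRYPTION_RANK = {"none": 0, "WEP": 1, "WPA": 2, "WPA2": 3}
POLICY = {"min_encryption": "WPA"}

# Constructed scan records as an RF monitor might report them:
# (bssid, ssid, encryption, channel)
SCAN = [
    ("00:0c:41:aa:bb:01", "CorpNet", "WPA2", 1),     # authorized, compliant
    ("00:0c:41:aa:bb:02", "CorpNet", "WEP", 6),      # authorized, but below policy
    ("00:0d:0b:de:ad:01", "CorpNet", "none", 11),    # unknown BSSID serving our SSID
    ("00:1a:2b:3c:4d:5e", "linksys", "WEP", 6),      # unknown AP, likely employee-installed
    ("00:1f:33:44:55:66", "CoffeeShop", "none", 1),  # unknown AP, probably a neighbour
    ("00:0c:41:aa:bb:01", "Guest", "none", 1),       # our BSSID advertising an SSID we do not run
]


def audit_scan(scan, corporate_ssids, authorized_bssids, policy):
    """Classify every observed AP. Returns a list of (bssid, ssid, finding) tuples.

    Findings:
      rogue-corporate-ssid  unknown BSSID advertising one of our SSIDs (evil twin / rogue)
      unmanaged-ap          unknown BSSID on some other SSID; needs location triage to
                            separate an employee-installed AP from a neighbour
      unexpected-ssid       an authorized BSSID advertising an SSID we do not operate
                            (misconfiguration, or someone spoofing our BSSID)
      weak-encryption       an authorized AP configured below the policy minimum
    Compliant authorized APs produce no finding.
    """
    min_rank = ENCRYPTION_RANK[policy["min_encryption"]]
    findings = []
    for bssid, ssid, encryption, _channel in scan:
        if bssid in authorized_bssids:
            if ssid not in corporate_ssids:
                findings.append((bssid, ssid, "unexpected-ssid"))
            elif ENCRYPTION_RANK.get(encryption, 0) < min_rank:
                findings.append((bssid, ssid, "weak-encryption"))
        elif ssid in corporate_ssids:
            findings.append((bssid, ssid, "rogue-corporate-ssid"))
        else:
            findings.append((bssid, ssid, "unmanaged-ap"))
    return findings


def summarize(findings):
    """Count findings by type so a recurring audit can be trended over time."""
    counts = {}
    for _bssid, _ssid, finding in findings:
        counts[finding] = counts.get(finding, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_scan(SCAN, CORPORATE_SSIDS, AUTHORIZED_BSSIDS, POLICY)
    for bssid, ssid, finding in results:
        print(f"{finding:22} {bssid}  ssid={ssid}")
    print(summarize(results))
```

The ordering of the checks matters: an authorized BSSID is first tested for the SSID it advertises and only then for its encryption, so a mis-set AP is reported under the more serious heading. Findings of type `unmanaged-ap` are deliberately not called rogue; until the monitor's location data says the AP is inside the building, a neighbouring network is the benign explanation.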
motorola.com Part number WP-ENTERPRISERISK. Printed in USA 05/08. MOTOROLA and the Stylized M Logo and Symbol and the Symbol Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. Motorola, Inc. 2008. All rights reserved. For system, product or services availability and specific information within your country, please contact your local Motorola office or Business Partner. Specifications are subject to change without notice.